PHP值未在更新查询中传递

时间:2017-04-10 13:37:38

标签: php mysql

我在寻找为什么我的mysql无效,但在这种情况下找不到任何帮助我的东西。

我的问题是,我希望通过在update中使用特定ID在其中插入日期来$_GET我的数据库。以下是:

$date = date('Y-m-d', time());

session_start();
header( 'content-type: text/html; charset=utf-8' );
require_once("cnx_db_inventory.php");
$idComputer=$_GET['idComputer'];
$query="select computer.computer_id,
    computer.computer_name
    from computer
    where computer.computer_id='$idComputer'";
$data = get_array($query);
foreach($data as $value) {
    $computername=$value['computer_name'];
}

//Update the database
if(isset($_GET['validate'])){
    $idComputer;
    $query="UPDATE computer
    SET deleted_date='$date'
    WHERE computer.computer_id=$idComputer";
    mysql_query($query);
    echo $query;
}

我的echo我的查询看起来像是验证了:

UPDATE computer SET deleted_date='2017-04-07' WHERE computer.computer_id=

如果我把一些引号('')加到$idComputer,那么回音就给了我这个:

UPDATE computer SET deleted_date='2017-04-07' WHERE computer.computer_id=”

但如果我在isset()之外回声,它就会给我一个id(见here)。 为什么然后,当我点击验证时,computer_id没有通过?

我的表格如下:

<form id="general" name="general" action="delete.php" method="get">
    Are you sure you want to delete this?<br />
    <strong><font size="2" color ="black">Computer name </font></strong>
    <input type="text" id="computername" name="computername" value="<?php echo $computername;?>"/><br />
    <input type="submit" name="validate" value="Validate" class="button">
    <input type="submit" name="cancel" class="button" value="Cancel" onClick="general.action='researchInventory.php'; return true;"/>
</form>

我尝试将$IdComputer放在isset中,但不会改变任何内容。我之前遇到过类似的问题,这有助于我修复它,但不是在这种情况下。我尝试在if(){}之外传递mysql_query。我尝试在computer.deleted_date中调用SELECT,但没有任何好处。

我尝试使用值为computer_id的隐藏输入,尝试$_post方法(使用此one查找),但在验证时没有任何变化!无论如何computer_id都没有通过。

class DBConnection{
private static $_singleton;
private $_connection;
private function __construct(){
    $ip =$_SERVER['REMOTE_ADDR'];
    $this->_connection = @mysqli_connect(DB_HOST, DB_USER, DB_PASS,DB_NAME) or die("Could not connect to database");
mysqli_set_charset($this->_connection,"utf8");
}
public static function getInstance(){
    $ip =$_SERVER['REMOTE_ADDR']; 
    if (is_null (self::$_singleton)) {
        self::$_singleton = new DBConnection();
            mysqli_set_charset('utf8');//Line 20;
    }
        return self::$_singleton;
    }
    public  function getHandle(){
        return $this->_connection;
    }
}

2 个答案:

答案 0 :(得分:0)

工作示例:添加POST方法只是因为我不喜欢GET那么多:)和一个带ID的隐藏字段

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);

include"config.inc.php"; // only DB parameters in here

$mysqli = mysqli_connect("$host", "$user", "$mdp", "$db");

if (mysqli_connect_errno()) { echo "Error connecting : " . mysqli_connect_error($mysqli); }

$id = $_GET['id']; /* assuming that your reach this page with an URL parameter ?id=3 ou any number */
echo"[ 1st check on ID -> $id ]";

// TODO -> clean var ID and check if set/numeric

if(isset($id)) {

/* prepare select */

$query = " SELECT computer_id, computer_name FROM computer WHERE computer_id=? ";
$stmt = $mysqli->prepare($query);

$stmt->bind_param("s", $id); /* if integer ID -> 's' becomes 'i' */

$results = $stmt->execute();
$stmt->bind_result($computer_id, $computer_name);
$stmt->store_result();

if ($stmt->num_rows > 0) {

while($stmt->fetch()){
echo"[ $computer_id -> $computer_name ]<br />";
}
}
else { echo"[ no data ]"; }

//$stmt->free_result();

} else { echo"[ no ID defined ! ]"; }

// Update the database
if(isset($_POST['validate'])){

$date = date('Y-m-d', time());
$idComp = $_POST['computerID'];

/* prepare update */

$query1 = " UPDATE computer SET deleted_date=? WHERE computer_id=? ";
$stmt1 = $mysqli->prepare($query1);

$stmt1->bind_param("ss", $date, $idComp); /* if integer ID -> 'ss' becomes 'si' */

if (!$stmt1->execute()) { echo"false -> update failed"; echo $stmt1->error; } else { echo"true -> update ok"; }

$stmt1->free_result();
}

?>

<form id="general" name="general" action="delete.php" method="post">
<input type="hidden" id="computerID" name="computerID" value="<?php echo"$computer_id"; ?>" />
Are you sure you want to delete this ?<br />
<strong>Computer name</strong>
<input type="text" id="computername" name="computername" value="<?php echo"$computer_name"; ?>" /><br />
<input type="submit" name="validate" value="Validate" class="button" />
</form>

编辑:由于mysql_ *在PHP 5.5中已被弃用(请参阅PHP doc),您应该更喜欢PPS : Prepared Parameterized Statements。这将有助于Preventing SQL injection

答案 1 :(得分:-1)

$idComputer=$_GET['idComputer'];
$query="select computer.computer_id,
    computer.computer_name
    from computer
    where computer.computer_id='$idComputer'";

.
.
.

$query="UPDATE computer
    SET deleted_date='$date'
    WHERE computer.computer_id=$idComputer";

computer.computer_id是字符串型列吗?如果是这样,则update语句中的值必须是单引号。

另外,这是非常糟糕的做法。有人可以访问http://yoursite.com/yourscript.php?idComputer=Boston';DROP TABLE computer;--,真的搞砸了你。您应该使用预准备语句,或者至少使用mysql_escape_string()函数。

同样的想法也适用于您的HTML输出。

<input type="text" id="computername" name="computername" value="<?php echo $computername;?>"/><br />

这应该是

<input type="text" id="computername" name="computername" value="<?php echo htmlspecialchars($computername); ?>"/><br />
相关问题
最新问题